Item #2: typically FIPS-140 certified code is delivered as a binary, tested by a lab and checked at both source and binary level, so the opportunity to modify is not there (DAC test will fail). With OpenSSL source that's not the case unless the developer of the product (who creates the binaries) gets it checked/certified by a lab as part of their product. Obviously if I lie and say my product is certified and it's not, I can but that's pretty stupid since the product will be listed on NIST's site as certified if it is. Will NIST list the OpenSSL crypto library on their site?

Chris

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ben Laurie
Sent: Friday, September 05, 2003 2:02 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: FIPS mode

Chris Brook wrote:
> If I read your reply right, responsibility for DAC and Known Answer Test
> checking is the responsibility of the app developer, though you will provide
> the DAC checksum for the crypto module. Have you also included the KATs,
> since they essentially exist the OpenSSL test modules?

_Everything_ is included.

> Since OpenSSL is providing source code (which presumably includes the DAC
> checksum generation code), what's to prevent a user modifying the crypto
> code and regenerating the checksum?

Nothing. What's to prevent you claiming you're using FIPS-140 certified stuff and not doing so? Nothing. That's not the way it works.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]